Buckaroo uses various security measures to ensure the integrity and authenticity of transactions. These measures include:

  • Digital Signatures
  • HTTPS certificates
  • Two-factor authentication for logging in.

Digital Signatures

Buckaroo uses a digital signature for each transaction to verify the sender and ensure that the message is not altered during transport. The signature is a hash of all fields in the message, combined with a secret key. This secret key can be set in the Payment Plaza under Settings > Security.

Calculation of the Digital Signature:

  1. List all fields in the payment request starting with brq_, add_, or cust_, except brq_signature, formatted as brq_fieldname=value.
  2. Sort this list alphabetically by field name, ignoring case sensitivity.
  3. Concatenate all parameters into one string without separators or whitespace.
  4. Add the pre-shared secret key at the end of the string.
  5. Calculate a hash from this string using the selected SHA algorithm and return the hash in hexadecimal format.

Note

When verifying a received signature, first URL-decode all the field values (only if the programming platform you use doesn’t do this automatically). A signature is always calculated over the non-encoded values (i.e., the value “J.+de+Tester” should be decoded to “J. de Tester”). If any issue occurs with encoding and decoding the values, please check the option ‘Enable double encoding on redirect data’ to alter the way the redirect data from the Buckaroo system to your website is encoded.
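The calculation steps and the decoding note above, as an added example (not Buckaroo's own code). The function names, the UTF-8 encoding, case-insensitive prefix matching and all sample values are assumptions; pass the SHA algorithm selected for your account.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl

SIGNED_PREFIXES = ("brq_", "add_", "cust_")


def compute_signature(fields, secret_key, algorithm):
    """Steps 1-5 over already URL-decoded fields; returns lowercase hex."""
    # Step 1: keep brq_/add_/cust_ fields, drop brq_signature itself.
    # Assumption: prefixes are matched case-insensitively, like the sort.
    signed = [(name, value) for name, value in fields.items()
              if name.lower().startswith(SIGNED_PREFIXES)
              and name.lower() != "brq_signature"]
    # Step 2: sort by field name, ignoring case.
    signed.sort(key=lambda item: item[0].lower())
    # Steps 3-4: join name=value pairs with no separator, append the secret.
    payload = "".join(f"{name}={value}" for name, value in signed) + secret_key
    # Step 5: hash (UTF-8 encoding is an assumption) and return hex.
    return hashlib.new(algorithm, payload.encode("utf-8")).hexdigest()


def verify_post_body(raw_body, secret_key, algorithm):
    """Verify a raw form-encoded body; parse_qsl does the URL-decoding."""
    fields = dict(parse_qsl(raw_body, keep_blank_values=True))
    received = next((v for k, v in fields.items()
                     if k.lower() == "brq_signature"), None)
    if received is None:
        return False  # unsigned messages are rejected, never trusted
    expected = compute_signature(fields, secret_key, algorithm)
    # Constant-time comparison avoids leaking how many hex digits matched.
    return hmac.compare_digest(expected.encode(),
                               received.strip().lower().encode())


if __name__ == "__main__":
    # Constructed sample: key, algorithm and field values are made up.
    key, algo = "constructed-secret", "sha256"
    decoded = {"brq_amount": "10.00", "BRQ_currency": "EUR",
               "add_customer": "J. de Tester", "other": "ignored"}
    sig = compute_signature(decoded, key, algo)
    body = ("brq_amount=10.00&BRQ_currency=EUR&add_customer=J.+de+Tester"
            "&other=ignored&brq_signature=" + sig)
    print(verify_post_body(body, key, algo))                            # True
    print(verify_post_body(body.replace("10.00", "1.00"), key, algo))   # False
```

If your web framework already hands you decoded form fields, call compute_signature on them directly instead of decoding a second time.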


HTTPS Certificates

All Buckaroo websites are secured with HTTPS certificates to ensure safe data transfer between the Merchant’s website and Buckaroo.

Explanation

The Buckaroo payment environment uses SSL certificates, indicated by a padlock icon and URLs starting with HTTPS. Buckaroo recommends implementing both the online store checkout and the redirect page in an HTTPS-secured environment. This way, the data is illegible in case it gets intercepted on the internet.

Warning

When customers return to an unprotected "Thank You" page, they might receive a security warning.

Measure

To avoid error messages, it is crucial to secure the Thank You page with an SSL certificate. Change the URL from http://return.merchantnaam.nl to https://return.merchantnaam.nl.

To verify that the return URL is working properly:

  1. Extract the URL from the message to Buckaroo.
  2. Place the URL in a browser.

If the URL doesn't work, check that it starts with HTTPS. An unsecured Thank You page can cause issues, especially on the Safari browser for iPad and iPhone. This may prevent users from proceeding, resulting in incomplete payments and conversion loss.